Windows Analysis Report
tatuJHXSR4.exe

Overview

General Information

Sample name:	tatuJHXSR4.exe renamed because original name is a hash value
Original sample name:	2a5f40e3ee04057e88c8b794ff258fd4.exe
Analysis ID:	1416003
MD5:	2a5f40e3ee04057e88c8b794ff258fd4
SHA1:	590e7f9870f13c8a2c060a6f2cb1bdf97901605c
SHA256:	30e8530fe027064f03f21e5dfc5d560338f8781c8133885b223ff3456ff16b65
Tags:	64exetrojan
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected LummaC Stealer

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Tries to load missing DLLs

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Signatures

AV Detection

Found malware configuration

Source: 3.3.tatuJHXSR4.exe.22464aa0000.3.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["pillowbrocccolipe.shop", "communicationgenerwo.shop", "diskretainvigorousiw.shop", "affordcharmcropwo.shop", "dismissalcylinderhostw.shop", "enthusiasimtitleow.shop", "worryfillvolcawoi.shop", "cleartotalfisherwo.shop", "communicationgenerwo.shop"], "Build id": "uYY3NI--"}

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.2374945365.000000C0002D6000.00000004.00001000.00020000.00000000.sdmp	String decryptor: pillowbrocccolipe.shop
Source: 00000003.00000002.2374945365.000000C0002D6000.00000004.00001000.00020000.00000000.sdmp	String decryptor: communicationgenerwo.shop
Source: 00000003.00000002.2374945365.000000C0002D6000.00000004.00001000.00020000.00000000.sdmp	String decryptor: diskretainvigorousiw.shop
Source: 00000003.00000002.2374945365.000000C0002D6000.00000004.00001000.00020000.00000000.sdmp	String decryptor: affordcharmcropwo.shop
Source: 00000003.00000002.2374945365.000000C0002D6000.00000004.00001000.00020000.00000000.sdmp	String decryptor: dismissalcylinderhostw.shop
Source: 00000003.00000002.2374945365.000000C0002D6000.00000004.00001000.00020000.00000000.sdmp	String decryptor: enthusiasimtitleow.shop
Source: 00000003.00000002.2374945365.000000C0002D6000.00000004.00001000.00020000.00000000.sdmp	String decryptor: worryfillvolcawoi.shop
Source: 00000003.00000002.2374945365.000000C0002D6000.00000004.00001000.00020000.00000000.sdmp	String decryptor: cleartotalfisherwo.shop
Source: 00000003.00000002.2374945365.000000C0002D6000.00000004.00001000.00020000.00000000.sdmp	String decryptor: communicationgenerwo.shop
Source: 00000003.00000002.2374945365.000000C0002D6000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.2374945365.000000C0002D6000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.2374945365.000000C0002D6000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.2374945365.000000C0002D6000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.2374945365.000000C0002D6000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.2374945365.000000C0002D6000.00000004.00001000.00020000.00000000.sdmp	String decryptor: uYY3NI--

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 6_2_007657B1 CryptUnprotectData,

6_2_007657B1

Source: unknown	HTTPS traffic detected: 172.67.166.251:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.166.251:443 -> 192.168.2.6:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.166.251:443 -> 192.168.2.6:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.166.251:443 -> 192.168.2.6:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.166.251:443 -> 192.168.2.6:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.166.251:443 -> 192.168.2.6:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.166.251:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.166.251:443 -> 192.168.2.6:49735 version: TLS 1.2

Source: tatuJHXSR4.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: BitLockerToGo.pdb source: tatuJHXSR4.exe, 00000003.00000002.2374945365.000000C000262000.00000004.00001000.00020000.00000000.sdmp, tatuJHXSR4.exe, 00000003.00000002.2374945365.000000C000180000.00000004.00001000.00020000.00000000.sdmp, tatuJHXSR4.exe, 00000003.00000003.2359889162.0000022464A50000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: tatuJHXSR4.exe, 00000003.00000002.2374945365.000000C000262000.00000004.00001000.00020000.00000000.sdmp, tatuJHXSR4.exe, 00000003.00000002.2374945365.000000C000180000.00000004.00001000.00020000.00000000.sdmp, tatuJHXSR4.exe, 00000003.00000003.2359889162.0000022464A50000.00000004.00001000.00020000.00000000.sdmp

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Directory queried: number of queries: 1001

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, dword ptr [esp+10h]	6_2_00759750
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, dword ptr [esp+08h]	6_2_00759750
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, dword ptr [esp+0Ch]	6_2_007667E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then lea esi, dword ptr [edx+ecx]	6_2_0076DC00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	6_2_0076DC00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then push edi	6_2_00763CF3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	6_2_00765DA9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	6_2_00765DA9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi+10h]	6_2_00764075
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ecx, dword ptr [esp+000000ACh]	6_2_0076A181
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esi]	6_2_0078426F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000080h]	6_2_0076A2B9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov esi, dword ptr [esp+10h]	6_2_00759290
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov word ptr [eax], cx	6_2_0076A31D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	6_2_0077E570
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [edx-08h], 542C2D52h	6_2_00787500
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp dword ptr [eax-08h], A352EDFDh	6_2_00769732
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	6_2_00766729
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], al	6_2_007718A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edi, dword ptr [esi+08h]	6_2_0076A9F4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, dword ptr [esi+10h]	6_2_0076F990
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, dword ptr [esp+00000080h]	6_2_0076CBF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	6_2_00784BF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov byte ptr [ebx], al	6_2_00771BC5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov eax, dword ptr [0078D3C8h]	6_2_00764C63
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then jmp eax	6_2_00784C45
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov ebx, eax	6_2_00752CF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	6_2_00786CA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	6_2_0075CD10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	6_2_00764EA3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, dword ptr [esp+20h]	6_2_00758FE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 4x nop then mov edx, dword ptr [esi+70h]	6_2_00772FA5

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: pillowbrocccolipe.shop
Source: Malware configuration extractor	URLs: communicationgenerwo.shop
Source: Malware configuration extractor	URLs: diskretainvigorousiw.shop
Source: Malware configuration extractor	URLs: affordcharmcropwo.shop
Source: Malware configuration extractor	URLs: dismissalcylinderhostw.shop
Source: Malware configuration extractor	URLs: enthusiasimtitleow.shop
Source: Malware configuration extractor	URLs: worryfillvolcawoi.shop
Source: Malware configuration extractor	URLs: cleartotalfisherwo.shop
Source: Malware configuration extractor	URLs: communicationgenerwo.shop

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: communicationgenerwo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 49Host: communicationgenerwo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12854Host: communicationgenerwo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15100Host: communicationgenerwo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19958Host: communicationgenerwo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 5437Host: communicationgenerwo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1409Host: communicationgenerwo.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 578178Host: communicationgenerwo.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: communicationgenerwo.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: communicationgenerwo.shop

Source: tatuJHXSR4.exe	String found in binary or memory: http://.css
Source: tatuJHXSR4.exe	String found in binary or memory: http://.jpg
Source: BitLockerToGo.exe, 00000006.00000003.2410160879.0000000004F64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: BitLockerToGo.exe, 00000006.00000003.2410160879.0000000004F64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: BitLockerToGo.exe, 00000006.00000003.2410160879.0000000004F64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: BitLockerToGo.exe, 00000006.00000003.2410160879.0000000004F64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: BitLockerToGo.exe, 00000006.00000003.2410160879.0000000004F64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: BitLockerToGo.exe, 00000006.00000003.2410160879.0000000004F64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: BitLockerToGo.exe, 00000006.00000003.2410160879.0000000004F64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: tatuJHXSR4.exe	String found in binary or memory: http://html4/loose.dtd
Source: BitLockerToGo.exe, 00000006.00000003.2410160879.0000000004F64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: BitLockerToGo.exe, 00000006.00000003.2410160879.0000000004F64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: BitLockerToGo.exe, 00000006.00000003.2410160879.0000000004F64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: BitLockerToGo.exe, 00000006.00000003.2410160879.0000000004F64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: BitLockerToGo.exe, 00000006.00000003.2409563726.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000006.00000003.2399660238.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000006.00000003.2438068183.0000000000CF4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000006.00000003.2390908646.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000006.00000003.2421582316.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000006.00000002.2470262313.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000006.00000003.2469516555.0000000000D01000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000006.00000003.2399536354.0000000000CF4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000006.00000003.2469492736.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000006.00000003.2445231733.0000000000CF4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000006.00000003.2437752954.0000000000CF4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000006.00000002.2470058526.0000000000C73000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000006.00000003.2391702013.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000006.00000003.2382775639.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://communicationgenerwo.shop/
Source: BitLockerToGo.exe, 00000006.00000003.2390908646.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000006.00000003.2391702013.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000006.00000003.2382775639.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://communicationgenerwo.shop/Ri
Source: BitLockerToGo.exe, 00000006.00000003.2382775639.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://communicationgenerwo.shop/Xi
Source: BitLockerToGo.exe, 00000006.00000003.2421582316.0000000000CF4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000006.00000003.2382775639.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://communicationgenerwo.shop/api
Source: BitLockerToGo.exe, 00000006.00000003.2438068183.0000000000CF4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000006.00000003.2445231733.0000000000CF4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000006.00000003.2437752954.0000000000CF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://communicationgenerwo.shop/api/
Source: BitLockerToGo.exe, 00000006.00000003.2382775639.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://communicationgenerwo.shop/api9J
Source: BitLockerToGo.exe, 00000006.00000002.2470262313.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000006.00000003.2469516555.0000000000D01000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000006.00000003.2469492736.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://communicationgenerwo.shop/apidZ
Source: BitLockerToGo.exe, 00000006.00000003.2382775639.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://communicationgenerwo.shop/apilJ
Source: BitLockerToGo.exe, 00000006.00000003.2399536354.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://communicationgenerwo.shop/apix
Source: BitLockerToGo.exe, 00000006.00000002.2470262313.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000006.00000003.2469516555.0000000000D01000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000006.00000003.2469492736.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://communicationgenerwo.shop/e
Source: BitLockerToGo.exe, 00000006.00000003.2445231733.0000000000CF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://communicationgenerwo.shop/y
Source: BitLockerToGo.exe, 00000006.00000003.2391425927.0000000004F89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BitLockerToGo.exe, 00000006.00000003.2391425927.0000000004F89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BitLockerToGo.exe, 00000006.00000003.2391425927.0000000004F89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: tatuJHXSR4.exe	String found in binary or memory: https://login.chinacloudapi.cn/no_standard_descript
Source: tatuJHXSR4.exe	String found in binary or memory: https://login.microsoftonline.com/%s
Source: tatuJHXSR4.exe	String found in binary or memory: https://login.microsoftonline.us/application/x-www-for
Source: tatuJHXSR4.exe	String found in binary or memory: https://protobuf.dev/reference/go/faq#namespace-conflictcorruption
Source: BitLockerToGo.exe, 00000006.00000003.2411688057.000000000506E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: BitLockerToGo.exe, 00000006.00000003.2411688057.000000000506E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: BitLockerToGo.exe, 00000006.00000003.2412615087.0000000004F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.or
Source: BitLockerToGo.exe, 00000006.00000003.2412615087.0000000004F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: BitLockerToGo.exe, 00000006.00000003.2411688057.000000000506E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: BitLockerToGo.exe, 00000006.00000003.2411688057.000000000506E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: BitLockerToGo.exe, 00000006.00000003.2411688057.000000000506E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 172.67.166.251:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.166.251:443 -> 192.168.2.6:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.166.251:443 -> 192.168.2.6:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.166.251:443 -> 192.168.2.6:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.166.251:443 -> 192.168.2.6:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.166.251:443 -> 192.168.2.6:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.166.251:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.166.251:443 -> 192.168.2.6:49735 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 6_2_0077A1C0 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

6_2_0077A1C0

Contains functionality to read the clipboard data

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 6_2_0077A1C0 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

6_2_0077A1C0

Contains functionality to record screenshots

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 6_2_0077A3A0 GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

6_2_0077A3A0

Contains functionality to call native functions

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00764160 NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_00764160
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00765280 NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_00765280
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00783316 NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_00783316
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_0076447E NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_0076447E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00765465 NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_00765465
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00766430 NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_00766430
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00786500 NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_00786500
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_007866E0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_007866E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_007878F0 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_007878F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_007838D4 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtClose,	6_2_007838D4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00768890 NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_00768890
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00786920 NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_00786920
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00764A59 NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_00764A59
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00786A40 NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_00786A40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00768AC0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_00768AC0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00770B61 NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_00770B61
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_0076DC00 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_0076DC00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00786D30 NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_00786D30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00786E40 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_00786E40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00783E33 NtOpenSection,	6_2_00783E33
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00783E87 NtMapViewOfSection,	6_2_00783E87
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00781F90 NtAllocateVirtualMemory,NtFreeVirtualMemory,RtlAllocateHeap,NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_00781F90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_0076902E NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_0076902E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_0076D000 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_0076D000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00787160 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_00787160
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00780260 NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_00780260
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_007822E0 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_007822E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_007662B0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_007662B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_0076A2B9 NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_0076A2B9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00762384 NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_00762384
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_0076A46F NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_0076A46F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00787500 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_00787500
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_007825E0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_007825E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_0076C6C0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_0076C6C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00782740 NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_00782740
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00769732 GetProcAddress,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,RtlExpandEnvironmentStrings,RtlExpandEnvironmentStrings,	6_2_00769732
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_007627DB NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_007627DB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00782850 NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_00782850
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_0076C820 NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_0076C820
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00782980 NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_00782980
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00782A90 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_00782A90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00786B70 NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_00786B70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00783EE2 NtClose,	6_2_00783EE2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_0076FF68 NtAllocateVirtualMemory,NtFreeVirtualMemory,	6_2_0076FF68

Detected potential crypto function

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00754750	6_2_00754750
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00751710	6_2_00751710
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_0076DC00	6_2_0076DC00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00756070	6_2_00756070
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_0076902E	6_2_0076902E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00780010	6_2_00780010
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00751000	6_2_00751000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_0076D000	6_2_0076D000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00787160	6_2_00787160
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00775152	6_2_00775152
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00760180	6_2_00760180
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_007532B0	6_2_007532B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00755300	6_2_00755300
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00787500	6_2_00787500
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00756650	6_2_00756650
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00769732	6_2_00769732
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00758820	6_2_00758820
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_007788D9	6_2_007788D9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_0077697D	6_2_0077697D
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00773992	6_2_00773992
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00782A90	6_2_00782A90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00757BF0	6_2_00757BF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00753D10	6_2_00753D10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00774DE2	6_2_00774DE2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_2_00752EA0	6_2_00752EA0

Found potential string decryption / allocating functions

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 00758D50 appears 167 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: String function: 00758630 appears 42 times

PE file contains more sections than normal

Source: tatuJHXSR4.exe

Static PE information: Number of sections : 12 > 10

Sample file is different than original file name gathered from version info

Source: tatuJHXSR4.exe, 00000003.00000002.2374945365.000000C000262000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs tatuJHXSR4.exe
Source: tatuJHXSR4.exe, 00000003.00000000.2197246693.00007FF67ED12000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDataNames-Setup-x64.exe< vs tatuJHXSR4.exe
Source: tatuJHXSR4.exe, 00000003.00000002.2374945365.000000C000180000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs tatuJHXSR4.exe
Source: tatuJHXSR4.exe, 00000003.00000003.2359889162.0000022464A50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs tatuJHXSR4.exe
Source: tatuJHXSR4.exe	Binary or memory string: OriginalFilenameDataNames-Setup-x64.exe< vs tatuJHXSR4.exe

Tries to load missing DLLs

Source: C:\Users\user\Desktop\tatuJHXSR4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tatuJHXSR4.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\tatuJHXSR4.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\tatuJHXSR4.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: tatuJHXSR4.exe

Binary string: Type.Indirect argument 1SliceType.Len argument 1SliceType.Cap argument 1brotli: Read after Closeinvalid pattern syntax: address string too shortresource length too longunpacking Question.Classinvalid field number: %dmismatching enum lengthsidna: disallowed rune %Utoken used before issuedtoken has invalid issuertoken has invalid claims\Device\NamedPipe\cygwindictionary read error %sdecoder used after ClosemaxSymbolValue too smallsymbolLen (%d) too smallGODEBUG sys/cpu: value "", required CPU feature

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/0@2/1

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 6_2_0077802C CoCreateInstance,

6_2_0077802C

Source: C:\Users\user\Desktop\tatuJHXSR4.exe

File created: C:\Users\Public\Libraries\khlep.scif

Source: tatuJHXSR4.exe	String found in binary or memory: y/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: Virtu
Source: tatuJHXSR4.exe	String found in binary or memory: y/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: Virtu
Source: tatuJHXSR4.exe	String found in binary or memory: pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: fai
Source: tatuJHXSR4.exe	String found in binary or memory: pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: fai
Source: tatuJHXSR4.exe	String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
Source: tatuJHXSR4.exe	String found in binary or memory: net/addrselect.go
Source: tatuJHXSR4.exe	String found in binary or memory: github.com/saferwall/pe@v1.4.8/loadconfig.go

Source: unknown	Process created: C:\Users\user\Desktop\tatuJHXSR4.exe "C:\Users\user\Desktop\tatuJHXSR4.exe"
Source: C:\Users\user\Desktop\tatuJHXSR4.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\Desktop\tatuJHXSR4.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Jump to behavior

Source: tatuJHXSR4.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x43dc00
Source: tatuJHXSR4.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x501e00

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF66CB pushfd ; retf	6_3_00CF66CE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF66CB pushfd ; retf	6_3_00CF66CE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF66CB pushfd ; retf	6_3_00CF66CE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF66C8 pushfd ; retf	6_3_00CF66CA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF66C8 pushfd ; retf	6_3_00CF66CA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF66C8 pushfd ; retf	6_3_00CF66CA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF52DB push edx; iretd	6_3_00CF52DE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF52DB push edx; iretd	6_3_00CF52DE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF52DB push edx; iretd	6_3_00CF52DE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF52D9 push edx; iretd	6_3_00CF52DA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF52D9 push edx; iretd	6_3_00CF52DA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF52D9 push edx; iretd	6_3_00CF52DA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF50EE push eax; iretd	6_3_00CF5126
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF50EE push eax; iretd	6_3_00CF5126
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF50EE push eax; iretd	6_3_00CF5126
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF529C push edx; iretd	6_3_00CF529E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF529C push edx; iretd	6_3_00CF529E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF529C push edx; iretd	6_3_00CF529E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF5899 push esi; iretd	6_3_00CF589A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF5899 push esi; iretd	6_3_00CF589A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF5899 push esi; iretd	6_3_00CF589A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF52A0 push edx; iretd	6_3_00CF52A2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF52A0 push edx; iretd	6_3_00CF52A2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF52A0 push edx; iretd	6_3_00CF52A2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF5679 push edi; iretd	6_3_00CF567A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF5679 push edi; iretd	6_3_00CF567A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF5679 push edi; iretd	6_3_00CF567A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF5671 push esi; iretd	6_3_00CF5672
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF5671 push esi; iretd	6_3_00CF5672
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF5671 push esi; iretd	6_3_00CF5672
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 6_3_00CF5204 push eax; iretd	6_3_00CF51CA

Source: C:\Users\user\Desktop\tatuJHXSR4.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 7644	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 7640	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: BitLockerToGo.exe, 00000006.00000003.2409563726.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000006.00000003.2399660238.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000006.00000003.2445231733.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000006.00000003.2390908646.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000006.00000003.2421582316.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000006.00000003.2438068183.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000006.00000003.2437752954.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000006.00000002.2470058526.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000006.00000003.2391702013.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: BitLockerToGo.exe, 00000006.00000003.2400786430.0000000004F94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696487552p
Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: tatuJHXSR4.exe, 00000003.00000002.2379008656.000002243F4A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: BitLockerToGo.exe, 00000006.00000002.2470058526.0000000000C58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: BitLockerToGo.exe, 00000006.00000003.2401171065.0000000004F87000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: tatuJHXSR4.exe, 00000003.00000002.2374945365.000000C0002D6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: pillowbrocccolipe.shop
Source: tatuJHXSR4.exe, 00000003.00000002.2374945365.000000C0002D6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: communicationgenerwo.shop
Source: tatuJHXSR4.exe, 00000003.00000002.2374945365.000000C0002D6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: diskretainvigorousiw.shop
Source: tatuJHXSR4.exe, 00000003.00000002.2374945365.000000C0002D6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: affordcharmcropwo.shop
Source: tatuJHXSR4.exe, 00000003.00000002.2374945365.000000C0002D6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: dismissalcylinderhostw.shop
Source: tatuJHXSR4.exe, 00000003.00000002.2374945365.000000C0002D6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: enthusiasimtitleow.shop
Source: tatuJHXSR4.exe, 00000003.00000002.2374945365.000000C0002D6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: worryfillvolcawoi.shop
Source: tatuJHXSR4.exe, 00000003.00000002.2374945365.000000C0002D6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: cleartotalfisherwo.shop

Source: C:\Users\user\Desktop\tatuJHXSR4.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 750000			Jump to behavior
Source: C:\Users\user\Desktop\tatuJHXSR4.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 8B3008			Jump to behavior

Source: C:\Users\user\Desktop\tatuJHXSR4.exe	Queries volume information: C:\Users\user\Desktop\tatuJHXSR4.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tatuJHXSR4.exe	Queries volume information: C:\Windows VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tatuJHXSR4.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tatuJHXSR4.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tatuJHXSR4.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tatuJHXSR4.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tatuJHXSR4.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Source: BitLockerToGo.exe, 00000006.00000003.2409563726.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: BitLockerToGo.exe	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: BitLockerToGo.exe, 00000006.00000003.2409563726.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: BitLockerToGo.exe, 00000006.00000003.2409563726.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: BitLockerToGo.exe	String found in binary or memory: Wallets/Exodus
Source: BitLockerToGo.exe, 00000006.00000003.2391702013.0000000000C96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance
Source: BitLockerToGo.exe, 00000006.00000003.2409563726.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: BitLockerToGo.exe	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: BitLockerToGo.exe, 00000006.00000003.2438068183.0000000000CF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: BitLockerToGo.exe, 00000006.00000002.2469778944.0000000000718000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: 3vC:\Users\user\AppData\Roaming\Ledger Live$3v%appdata%\Ledger Liven2v*n+v

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\KLIZUSIQEN	Jump to behavior

Name	Malicious	Antivirus Detection	Reputation
https://communicationgenerwo.shop/api	false	Avira URL Cloud: safe	unknown
communicationgenerwo.shop	true	Avira URL Cloud: safe	unknown
pillowbrocccolipe.shop	true	Avira URL Cloud: safe	unknown
enthusiasimtitleow.shop	true	Avira URL Cloud: safe	unknown
worryfillvolcawoi.shop	true	Avira URL Cloud: safe	unknown
dismissalcylinderhostw.shop	true	Avira URL Cloud: safe	unknown
diskretainvigorousiw.shop	true	Avira URL Cloud: safe	unknown
cleartotalfisherwo.shop	true	Avira URL Cloud: safe	unknown
affordcharmcropwo.shop	true	Avira URL Cloud: safe	unknown

ID:	1416003
Product:	CloudBasic
Start time:	18:22:09
Start date:	26.03.2024
Sample:	tatuJHXSR4.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	2a5f40e3ee04057e88c8b794ff258fd4
SHA1:	590e7f9870f13c8a2c060a6f2cb1bdf97901605c
SHA256:	30e8530fe027064f03f21e5dfc5d560338f8781c8133885b223ff3456ff16b65
Filetype:	Win64 Executable (generic) (12005/4) 74.95%

Windows Analysis Report tatuJHXSR4.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
tatuJHXSR4.exe

Malware Threat Intel
Provided by